CVE-2026-3945 Overview
An integer overflow vulnerability exists in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) condition by exhausting all available worker connections.
The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely.
Critical Impact
An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability for the tinyproxy service.
Affected Products
- tinyproxy version 1.11.3 and earlier
- All tinyproxy installations using HTTP chunked transfer encoding
- Systems relying on tinyproxy for proxy services without the upstream patch
Discovery Timeline
- 2026-03-30 - CVE CVE-2026-3945 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-3945
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The root issue lies in the HTTP chunked transfer encoding parser within tinyproxy's request handling code. When processing HTTP requests with chunked transfer encoding, the parser reads the chunk size from the incoming data and converts it from hexadecimal using strtol().
The vulnerability exploits a gap in the validation logic. While the code checked for negative values (chunklen < 0), it failed to account for the case where strtol() returns LONG_MAX when parsing an extremely large hexadecimal value like 0x7fffffffffffffff. Since LONG_MAX is positive, it passes the negative check. When the code subsequently performs arithmetic operations such as chunklen + 2, the signed integer wraps around, producing undefined behavior and incorrect buffer size calculations.
The practical impact is that the proxy enters a state where it attempts to read an impossibly large amount of data, effectively hanging the worker thread indefinitely. Since tinyproxy uses a fixed pool of worker threads, an attacker can systematically exhaust all available workers by sending multiple malicious requests, rendering the service completely unavailable.
Root Cause
The root cause is improper input validation in the HTTP chunked transfer encoding parser within src/reqs.c. The strtol() function was used to parse chunk sizes without checking for errno == ERANGE, which indicates that the parsed value exceeds the representable range. Additionally, the original validation only checked for negative values, failing to reject extremely large positive values that would cause integer overflow in subsequent arithmetic operations.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can send a specially crafted HTTP request with chunked transfer encoding containing an oversized chunk length value. The attack requires:
- Network access to a tinyproxy instance
- Ability to send HTTP requests with custom chunked transfer encoding headers
- No authentication or special privileges required
The attack can be automated to rapidly exhaust all worker threads, causing a complete denial of service.
The initial patch in commit 969852c added a check for negative values:
}
chunklen = strtol (buffer, (char**)0, 16);
+ if (chunklen < 0) goto ERROR_EXIT;
if (pull_client_data (connptr, chunklen+2, 0) < 0)
goto ERROR_EXIT;
Source: GitHub Commit Details - 969852c
However, this initial fix was insufficient. The complete fix in commit bb7edc4 addresses both negative values and extremely large positive values that could cause overflow:
}
chunklen = strtol (buffer, (char**)0, 16);
- if (chunklen < 0) goto ERROR_EXIT;
+ /* prevent negative or huge values causing overflow */
+ if (chunklen < 0 || chunklen > 0x0fffffff) goto ERROR_EXIT;
if (pull_client_data (connptr, chunklen+2) < 0)
goto ERROR_EXIT;
Source: GitHub Commit Details - bb7edc4
Detection Methods for CVE-2026-3945
Indicators of Compromise
- Tinyproxy worker threads becoming unresponsive or stuck in read operations
- Unusual HTTP requests containing extremely large hexadecimal chunk size values (e.g., 7fffffffffffffff)
- Sudden increase in connection timeouts for clients attempting to use the proxy
- Log entries showing malformed chunked transfer encoding requests
Detection Strategies
- Monitor tinyproxy process for abnormal memory usage or stuck worker threads
- Implement network-level detection for HTTP requests containing chunk sizes exceeding reasonable thresholds
- Configure intrusion detection systems to alert on chunked transfer encoding with hexadecimal values longer than 8 characters
- Deploy application-layer firewalls to validate HTTP chunked encoding before reaching tinyproxy
Monitoring Recommendations
- Set up alerts for tinyproxy service availability and worker thread pool exhaustion
- Monitor connection queue length and new connection rejection rates
- Implement health checks that verify tinyproxy can accept and process new connections
- Log and analyze all incoming HTTP requests with chunked transfer encoding for anomalous patterns
How to Mitigate CVE-2026-3945
Immediate Actions Required
- Apply the upstream patch from commit bb7edc4 to your tinyproxy installation
- If patching is not immediately possible, implement network-level filtering to block requests with abnormally large chunk sizes
- Consider temporarily disabling tinyproxy if it is internet-facing and cannot be patched
- Monitor existing tinyproxy instances for signs of exploitation
Patch Information
The vulnerability has been addressed upstream in commit bb7edc4. However, the latest stable release (1.11.3) remains affected at the time of publication. Organizations should either apply the patch manually from the GitHub repository or wait for a new stable release that includes the fix.
For more details, see:
Workarounds
- Place tinyproxy behind a reverse proxy or web application firewall that validates HTTP chunked encoding
- Implement rate limiting on incoming connections to slow down potential DoS attacks
- Restrict network access to tinyproxy to trusted IP ranges only
- Consider using an alternative proxy solution until a patched stable release is available
# Configuration example - restrict tinyproxy access to trusted networks
# Add to tinyproxy.conf
Allow 10.0.0.0/8
Allow 192.168.0.0/16
# Deny all other connections by default
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
